SCADA Security Regulation

Sometimes it helps to escape the bubble to get new information and fresh thoughts. Below are three recent information points and four observations on regulation and real security after a long trip outside the US. Some of the observations are not new, but they are big issues that tend to get lost in the day-to-day dealings with CIP compliance.

The information points:

  1. The latest entry in the Matrikon/Honeywell blog series on NERC CIP highlights that blackstart power plants are no longer part of the brightline criteria in Version 5 (Criteria 2.4 and 2.5 of Attachment 1 of CIP-002-5). This means the blackstart plants would only need to meet the low impact security requirements, and the percentage of power plants that would need to meet the medium or high impact security requirements will likely be even smaller than the 4.4% in the last survey.
  2. The Dept of Energy just issued an Information Collection Request to 17 electric utilities as input to their Electric Sector Cybersecurity Risk Management Maturity Initiative (ht: @pjcoyle). The multiple choice questionnaire is 39 pages long with 118 questions. Most of the questions are “current level of effort” type questions of the form “Are you doing x?” with Yes, Partially, and No as answers.
  3. Non-US/Canada electric utilities are a growing percentage of our business and exceed our US electric utility business (a small sample size, since Digital Bond is a small company). These foreign utilities, unhampered by the level of effort to meet regulation, are making dramatically more progress securing their SCADA and DCS compared to their US counterparts. It reminds me of working with US utilities circa 2005 when CIP paperwork was not a burden. Focus is on efficient risk reduction rather than compliance.

Four observations:

  1. The CIP regulations are making security conscious utilities less secure. I wrote this two years ago and even had a graphical estimate, but it is confirmed when you work with security conscious utilities who don’t have NERC CIP compliance issues. The problem is many utilities, US and otherwise, are not security conscious and would do little or nothing if not required by regulation.
  2. CIP regulations are clearly aimed at securing the “bulk electric system” and not at providing the appropriate level of security controls for an individual company. Companies can and are accepting significant risk by using CIP as their main driver of what is required in their cyber security program. This is compounded by the CIP avoidance exercise performed by many utilities.
  3. Regulation should focus on incentivizing security action rather than rewarding avoidance. Why should finding and fixing security issues cause paperwork and potential fines? The CIP regulations incentivize minimizing the Critical Assets and Critical Cyber Assets, minimizing any vulnerability assessments, minimizing security monitoring, … What regulation would work is a very hard problem, but less specificity on controls and detailed records is the right direction. We are churning up people, time and money with minimal benefit with CIP.
  4. The security conscious utilities around the world have more than senior management support for cyber security; they have senior management driving security, sometimes over the objections of the project teams. I’ve been trying to figure out what caused these C-level leaders to care so much about security, and more often than not it is an external conversation, event or incident rather than their IT or security teams convincing them of the importance of the issue. Outside influences, not bottom-up information, are making the sale that security matters and is worth the cost. If true beyond our small sample size, this should shape policy and tactics on awareness activities.

The last observation is the most important. In every sector there are a few C-level executives who are driving security in their companies. This includes the vendor category as well. How do we increase this number?

One possible idea and example: DHS supposedly provided a compelling demonstration to the Senate of a cyber attack on NY City’s electric system. If it is truly compelling, shouldn’t every utility see this? If it is not compelling, maybe we should allocate some of those hundreds of millions spent by the US Government on convincing the C-level executives that it is in their own interest to address this risk.

Taking it a step further, maybe we should spend some of that money to educate the shareholders and public on these issues so they demand action. This is partially in line with legislative efforts to require companies to inform stockholders of their assessed security posture. DHS may be gun-shy about providing this information after the unplanned release via CNN of the Aurora demonstration cost a number of people their jobs.

Efforts to date to educate C-level executives have been unsuccessful, and that could either be because there isn’t a persuasive case or the case has been poorly made. My view is the latter, and if successful, such efforts would have a bigger impact than regulatory efforts at a much lower cost for all.

Image by timo_w2s